DIGITALEUROPE’s position paper on software security updates

Executive summary

As the voice of the digital technology industry in Europe, DIGITALEUROPE represents many companies that drive the development of connected technologies, including the Internet of Things (IoT). Security of connected technologies is key to gaining and maintaining consumer trust. We believe that increased connectivity requires continuous innovation and investment in technologies and processes designed to enhance security.

DIGITALEUROPE members continuously invest in enhancing security, including the development of sophisticated software vulnerability management systems, software security update protocols and other measures to mitigate the exploitability and/or impact of vulnerabilities.

DIGITALEUROPE encourages EU policymakers to take a coherent and systematic approachto ensure that different initiatives – ranging from consumer protection rules, the EU cybersecurity certification framework and environment policy to rules and guidance on other policy areas – do not contradict each other:

We caution against a rigid ruleset. Overly prescriptive, heavy-handed rules such as fixed or excessive length or frequency requirements for software security updates, ignoring the dynamic nature and complexity of an ever more connected world, might adversely affect emerging technologies and stifle market-driven security innovation.

No simplistic, one-size-fits-all solution. The ICT security landscape is in constant flux and software security updates cannot resolve all security threats. Moreover, risks stemming from software vulnerabilities cannot be addressed by a given vendor alone – all parties, including intermediaries and users, have a role to play.